diff --git a/backport-policycoreutils-handle-argument-counter-of-zero.patch b/backport-policycoreutils-handle-argument-counter-of-zero.patch
deleted file mode 100644
index e8be222c96d7d1721a5b2f2aa2436e8b57d2dfdd..0000000000000000000000000000000000000000
--- a/backport-policycoreutils-handle-argument-counter-of-zero.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 9229f8b3b7348e4990c8493365d68ff241cfbeb7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
-Date: Wed, 26 Jan 2022 15:56:45 +0100
-Subject: [PATCH] policycoreutils: handle argument counter of zero
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The number of arguments passed to main(), argc, can be zero if the
-pathname passed to execve(2) is NULL, e.g. via:
-
- execve("/path/to/exe", {NULL}, {NULL});
-
-Also avoid NULL pointer dereferences on the argument value.
-
-Signed-off-by: Christian Göttsche
----
- policycoreutils/run_init/open_init_pty.c | 2 +-
- policycoreutils/secon/secon.c | 3 +++
- policycoreutils/setfiles/setfiles.c | 6 +++++-
- 3 files changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/policycoreutils/run_init/open_init_pty.c b/policycoreutils/run_init/open_init_pty.c
-index 150cb45ee..19101c506 100644
---- a/policycoreutils/run_init/open_init_pty.c
-+++ b/policycoreutils/run_init/open_init_pty.c
-@@ -244,7 +244,7 @@ int main(int argc, char *argv[])
- rb_init(&inbuf, inbuf_mem, sizeof(inbuf_mem));
- rb_init(&outbuf, outbuf_mem, sizeof(outbuf_mem));
-
-- if (argc == 1) {
-+ if (argc < 2) {
- printf("usage: %s PROGRAM [ARGS]...\n", argv[0]);
- exit(1);
- }
-diff --git a/policycoreutils/secon/secon.c b/policycoreutils/secon/secon.c
-index a0957d091..d624fa136 100644
---- a/policycoreutils/secon/secon.c
-+++ b/policycoreutils/secon/secon.c
-@@ -333,6 +333,9 @@ static void cmd_line(int argc, char *argv[])
- opts->from_type = OPTS_FROM_CUR;
-
- if (opts->from_type == OPTS_FROM_ARG) {
-+ if (!argv[0])
-+ errx(EXIT_FAILURE, "No argument given");
-+
- opts->f.arg = argv[0];
-
- if (xstreq(argv[0], "-"))
-diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
-index 44cab46d0..ab7016aca 100644
---- a/policycoreutils/setfiles/setfiles.c
-+++ b/policycoreutils/setfiles/setfiles.c
-@@ -163,6 +163,10 @@ int main(int argc, char **argv)
- policyfile = NULL;
-
- r_opts.abort_on_error = 0;
-+ if (!argv[0]) {
-+ fprintf(stderr, "Called without required program name!\n");
-+ exit(-1);
-+ }
- r_opts.progname = strdup(argv[0]);
- if (!r_opts.progname) {
- fprintf(stderr, "%s: Out of memory!\n", argv[0]);
-@@ -423,7 +427,7 @@ int main(int argc, char **argv)
-
- altpath = argv[optind];
- optind++;
-- } else if (argc == 1)
-+ } else if (argc < 2)
- usage(argv[0]);
-
- /* Set selabel_open options. */
diff --git a/backport-python-Split-semanage-import-into-two-transactions.patch b/backport-python-Split-semanage-import-into-two-transactions.patch
deleted file mode 100644
index 8f1a1acd598e70b8d3a10324c8453abee1006ad2..0000000000000000000000000000000000000000
--- a/backport-python-Split-semanage-import-into-two-transactions.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From abaf812c3877f6b595eb8643582eacef2dd4df3f Mon Sep 17 00:00:00 2001
-From: Vit Mojzis
-Date: Mon, 30 May 2022 14:20:21 +0200
-Subject: [PATCH] python: Split "semanage import" into two transactions
-
-First transaction applies all deletion operations, so that there are no
-collisions when applying the rest of the changes.
-
-Fixes:
- # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
- # semanage export | semanage import
- ValueError: Port tcp/3024 already defined
-
-Signed-off-by: Vit Mojzis
----
- python/semanage/semanage | 21 +++++++++++++++++++--
- 1 file changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/python/semanage/semanage b/python/semanage/semanage
-index 8f4e44a7..1d828128 100644
---- a/python/semanage/semanage
-+++ b/python/semanage/semanage
-@@ -852,10 +852,29 @@ def handleImport(args):
- trans = seobject.semanageRecords(args)
- trans.start()
-
-+ deleteCommands = []
-+ commands = []
-+ # separate commands for deletion from the rest so they can be
-+ # applied in a separate transaction
- for l in sys.stdin.readlines():
- if len(l.strip()) == 0:
- continue
-+ if "-d" in l or "-D" in l:
-+ deleteCommands.append(l)
-+ else:
-+ commands.append(l)
-+
-+ if deleteCommands:
-+ importHelper(deleteCommands)
-+ trans.finish()
-+ trans.start()
-+
-+ importHelper(commands)
-+ trans.finish()
-
-+
-+def importHelper(commands):
-+ for l in commands:
- try:
- commandParser = createCommandParser()
- args = commandParser.parse_args(mkargv(l))
-@@ -869,8 +888,6 @@ def handleImport(args):
- except KeyboardInterrupt:
- sys.exit(0)
-
-- trans.finish()
--
-
- def setupImportParser(subparsers):
- importParser = subparsers.add_parser('import', help=_('Import local customizations'))
---
-2.23.0
diff --git a/backport-python-audit2allow-close-file-stream-on-error.patch b/backport-python-audit2allow-close-file-stream-on-error.patch
deleted file mode 100644
index fc85cf4d5c00b1ebbc57a684dda5234b143e05a1..0000000000000000000000000000000000000000
--- a/backport-python-audit2allow-close-file-stream-on-error.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From c14a86af9a2304175e54897634f808b42345325b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
-Date: Fri, 20 May 2022 14:51:07 +0200
-Subject: [PATCH] python/audit2allow: close file stream on error
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
- sepolgen-ifgen-attr-helper.c: In function ‘load_policy’:
- sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE ‘fp’ [CWE-775] [-Wanalyzer-file-leak]
- 196 | fprintf(stderr, "Out of memory!\n");
- | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Signed-off-by: Christian Göttsche
-Acked-by: James Carter
----
- python/audit2allow/sepolgen-ifgen-attr-helper.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
-index 6f3ba962..5e6cffc1 100644
---- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
-+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
-@@ -194,12 +194,14 @@ static policydb_t *load_policy(const char *filename)
- policydb = malloc(sizeof(policydb_t));
- if (policydb == NULL) {
- fprintf(stderr, "Out of memory!\n");
-+ fclose(fp);
- return NULL;
- }
-
- if (policydb_init(policydb)) {
- fprintf(stderr, "Out of memory!\n");
- free(policydb);
-+ fclose(fp);
- return NULL;
- }
-
-@@ -208,6 +210,7 @@ static policydb_t *load_policy(const char *filename)
- fprintf(stderr,
- "error(s) encountered while parsing configuration\n");
- free(policydb);
-+ fclose(fp);
- return NULL;
- }
-
---
-2.23.0
diff --git a/backport-semodule-avoid-toctou-on-output-module.patch b/backport-semodule-avoid-toctou-on-output-module.patch
deleted file mode 100644
index ee4779396b0f2ac4393fec1ea1543a66a5fa1fab..0000000000000000000000000000000000000000
--- a/backport-semodule-avoid-toctou-on-output-module.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 6d02b2fa29954e239721907e1fce238f25ea4f2f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
-Date: Fri, 20 May 2022 15:19:52 +0200
-Subject: [PATCH] semodule: avoid toctou on output module
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Do not check for file existence and open afterwards, open with the
-exclusive flag (supported in Glibc and musl 0.9.6 and also standardized
-in C11).
-
-Found by GitHub CodeQL.
-
-Signed-off-by: Christian Göttsche
-Acked-by: Nicolas Iooss
----
- policycoreutils/semodule/semodule.c | 13 +++++--------
- 1 file changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
-index 1ed8e690..48bc28dd 100644
---- a/policycoreutils/semodule/semodule.c
-+++ b/policycoreutils/semodule/semodule.c
-@@ -550,15 +550,12 @@ int main(int argc, char *argv[])
- goto cleanup_extract;
- }
-
-- if (access(output_path, F_OK) == 0) {
-- fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
-- result = -1;
-- goto cleanup_extract;
-- }
--
-- output_fd = fopen(output_path, "w");
-+ output_fd = fopen(output_path, "wx");
- if (output_fd == NULL) {
-- fprintf(stderr, "%s: Unable to open %s\n", argv[0], output_path);
-+ if (errno == EEXIST)
-+ fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
-+ else
-+ fprintf(stderr, "%s: Unable to open %s: %s\n", argv[0], output_path, strerror(errno));
- result = -1;
- goto cleanup_extract;
- }
---
-2.12.3
-
diff --git a/policycoreutils-3.4.tar.gz b/policycoreutils-3.5.tar.gz
similarity index 44%
rename from policycoreutils-3.4.tar.gz
rename to policycoreutils-3.5.tar.gz
index 403ac52e289f9202b05c86821e107ed21517ebe8..fc432fe6053d580a3b11391c3f7f93d51d6e91dc 100644
Binary files a/policycoreutils-3.4.tar.gz and b/policycoreutils-3.5.tar.gz differ
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 33bfe5d5b3004d15fb7c4341d50c61d9622d6f18..e4cd7fd5b76a4682381fdb6aa7387e1edbb6190e 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -2,7 +2,7 @@
 %bcond_with sandbox
 
 Name: policycoreutils
-Version: 3.4
+Version: 3.5
 Release: 1
 Summary: Policy core utilities of selinux
 License: GPLv2
@@ -16,14 +16,11 @@ Source11: selinux-autorelabel-generator.sh
 
 Patch0: fix-fixfiles-N-date-function.patch
 Patch1: fix-fixfiles-N-date-function-two.patch
-Patch2: backport-python-Split-semanage-import-into-two-transactions.patch
-Patch3: backport-python-audit2allow-close-file-stream-on-error.patch
-Patch4: backport-semodule-avoid-toctou-on-output-module.patch
 
 BuildRequires: gcc
 BuildRequires: pam-devel libsepol-static >= %{version} libsemanage-static >= %{version} libselinux-devel >= %{version} libcap-devel audit-libs-devel gettext
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python3-devel libcap-ng-devel
-BuildRequires: systemd systemd-units
+BuildRequires: systemd systemd-units python3-pip
 
 Requires: libsepol >= 3.3 libselinux-utils util-linux grep gawk diffutils rpm sed coreutils
 Provides: %{name}-restorecond = %{version}-%{release}
@@ -174,7 +171,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
 
 
 %files -f %{name}.lang
-%license policycoreutils/COPYING
+%license policycoreutils/LICENSE
 %doc %{_usr}/share/doc/%{name}
 %config(noreplace) %{_sysconfdir}/sestatus.conf
 %config(noreplace) %{_sysconfdir}/pam.d/newrole
@@ -234,7 +231,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
 %{python3_sitelib}/sepolicy/network.py*
 %{python3_sitelib}/sepolicy/transition.py*
 %{python3_sitelib}/sepolicy/sedbus.py*
-%{python3_sitelib}/sepolicy*.egg-info
+%{python3_sitelib}/sepolicy*.dist-info
 %{python3_sitelib}/sepolicy/booleans.py*
 %{python3_sitelib}/sepolicy/communicate.py*
 %{python3_sitelib}/sepolicy/generate.py*
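Review bot: The new `BuildRequires: systemd systemd-units python3-pip` line in the `@@ -16,14 +16,11 @@` hunk, together with the `sepolicy*.egg-info` → `sepolicy*.dist-info` change in the `%files` hunk, suggests the Python modules are now installed by pip during the build, but the %install section is outside this diff, so it cannot be confirmed here that the pip call is forced offline. If that invocation does not pass `--no-index --no-build-isolation --no-deps`, a build host with network access could silently resolve a build backend or dependency from PyPI instead of the packaged tarball, which breaks reproducibility and provenance of the resulting RPM; please verify in %install. The same hunk drops Patch2–Patch4 while the changelog entry only records "update version to 3.5"; a one-line note that these backports are removed because their fixes are presumably carried in upstream 3.5 (not verifiable from this diff) would let the next maintainer audit the backport set without re-deriving it. Patch0 and Patch1 are kept against the new tarball, so a rebase check on those two is worth recording as well.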
@@ -260,6 +257,9 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
 %{_mandir}/*
 
 %changelog
+* Mon Jul 17 2023 zhangguangzhi - 3.5-1
+- update version to 3.5
+
 * Thu Feb 2 2023 zhangguangzhi - 3.4-1
 - update version to 3.4